In today's networked computing environment, it is often difficult to prevent the spread of computer system integrity threats such as viruses, worms, and Trojan horses, due to an increased visibility of computer system vulnerabilities and expedited creation of computer system integrity threats against these vulnerabilities. Vendors of operating system and application software routinely announce the release of a software patch or software version update that remediates a newly publicized vulnerability. As soon as such vulnerabilities are announced, malicious coders begin working on threats to attack these vulnerabilities. The time cycle between the publication of a new vulnerability and the release of a corresponding threat on the public Internet is rapidly declining. For example, threats, such as computer viruses, may be released within hours of a software patch release instead of days, weeks, or months as was common in the past.
In a large network environment such as an enterprise network, the logistics of testing and applying such patches and updates across multiple computer systems often prevents many vulnerable computer systems from being secured (patched or updated) before a threat is released. To some extent, system management and software deployment tools help to expedite the deployment of these patches and updates, but large environments may still experience substantial penetration by these threats. This risk of penetration is increased when software patches and updates are released after a threat has targeted a vulnerability.
Oftentimes, virus defense software vendors will release virus definitions (virus signature updates) to combat these threats, but the distribution of virus definition files to large networks of computer systems presents a similar logistical challenge. The virus defense software located on each computer system is only as effective as the most recently distributed virus definition file. Until these systems are updated with the latest definitions, they are powerless to defend themselves against the threats that those definitions address.
Another existing approach to defending against virus attacks is to utilize a local detection agent that validates system configuration state before allowing a system to connect to the network. An example of such a system is Network Admission Control (NAC), marketed by Cisco Systems Inc. Although such techniques may be useful for verifying the presence and activation state of protective agent software, they too are faced with limitations. The NAC agent is only as effective as its last distributed security policy, and the agents that it validates (virus, personal firewall, etc.) can only defend against threats pre-defined in their signature files.
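The following is an added illustration of posture-based admission control of the kind just described; it is a simplified model written for this page, not Cisco NAC's implementation, policy format or API. The agent names, dates and policy structure are constructed. It shows both sides of the point above: a host is admitted only when every required protective agent is installed, running and carries definitions at least as new as the policy demands, yet a host that passes is still unprotected against any threat whose signature post-dates the definitions the policy required.

```python
"""Simplified posture-based admission check (added example, not Cisco NAC).

An AdmissionPolicy lists the protective agents a host must have installed
and running, with the oldest acceptable definitions date for each.
evaluate_admission() admits a host only if every requirement is met.
covered_by_definitions() then shows the residual gap: a signature-based
agent detects only threats whose signatures it already has.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class AgentPosture:
    name: str
    installed: bool
    running: bool
    definitions_date: Optional[date]   # None when no definitions are present


@dataclass
class HostPosture:
    hostname: str
    agents: Dict[str, AgentPosture] = field(default_factory=dict)


@dataclass
class AdmissionPolicy:
    published: date                    # date this policy was distributed to agents
    required: Dict[str, date]          # agent name -> minimum definitions date


def evaluate_admission(host: HostPosture, policy: AdmissionPolicy) -> Tuple[bool, List[str]]:
    """Return (admit, reasons). Every reason is a failed policy requirement;
    the host is admitted only when the list is empty."""
    reasons: List[str] = []
    for agent_name, min_defs in policy.required.items():
        agent = host.agents.get(agent_name)
        if agent is None or not agent.installed:
            reasons.append(f"{agent_name}: not installed")
            continue
        if not agent.running:
            reasons.append(f"{agent_name}: installed but not running")
            continue
        if agent.definitions_date is None or agent.definitions_date < min_defs:
            reasons.append(f"{agent_name}: definitions older than {min_defs.isoformat()}")
    return (not reasons, reasons)


def covered_by_definitions(host: HostPosture, agent_name: str, signature_date: date) -> bool:
    """Model of signature-based defense: the agent can detect a threat only if
    its definitions are at least as new as the date that threat's signature
    was published. An admitted host can still fail this for a newer threat."""
    agent = host.agents.get(agent_name)
    if agent is None or not agent.running or agent.definitions_date is None:
        return False
    return agent.definitions_date >= signature_date


# Constructed sample data (hypothetical hosts and dates, not from a real network).
POLICY = AdmissionPolicy(
    published=date(2024, 3, 1),
    required={"antivirus": date(2024, 2, 25), "personal_firewall": date(2024, 1, 1)},
)

HOST_OK = HostPosture("ws-01", {
    "antivirus": AgentPosture("antivirus", True, True, date(2024, 2, 28)),
    "personal_firewall": AgentPosture("personal_firewall", True, True, date(2024, 2, 1)),
})

HOST_STALE = HostPosture("ws-02", {
    "antivirus": AgentPosture("antivirus", True, False, date(2024, 1, 10)),
})

# Signature for a threat that appeared after the policy was distributed.
NEW_THREAT_SIGNATURE = date(2024, 3, 10)

if __name__ == "__main__":
    for host in (HOST_OK, HOST_STALE):
        admit, why = evaluate_admission(host, POLICY)
        print(host.hostname, "ADMIT" if admit else "DENY", why)
    # ws-01 satisfies the policy, yet remains blind to the newer threat.
    print("ws-01 covered against new threat:",
          covered_by_definitions(HOST_OK, "antivirus", NEW_THREAT_SIGNATURE))
```

Running the module admits ws-01 and denies ws-02 (firewall missing, antivirus not running), then reports that ws-01 is not covered against the threat signed after its definitions. The admission decision and the detection gap are deliberately separate functions: the first is all a posture check can establish, and the second is what the text means by a policy being only as effective as its last distribution.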
The end result is that even in well-protected environments, virus threats will be experienced, and these threats can create significant damage once resident in a networked computer system, such as a corporate intranet. Existing solutions may mitigate the risks associated with a virus not yet experienced, or prevent systems with weak protection from joining a network. However, such systems are ineffective at reducing the risk associated with an active, dynamic network once a virus threat has already been introduced.
Accordingly, there is a need in the art for improvements in reducing the vulnerability of a computer network to virus threats. There is a continuing need in the art for a system that can respond to detected threats to automatically limit further exposure of the computer network to the detected threat. The present invention is designed to address these needs.